Snort and blocking access to cctv system



  • I have been able to connect from my mobile to my camera system fine up until I installed Snort.

    I have suppressed the entry, but the port seems to change often. How can I change it so it is never blocked by Snort?

    Thanks



  • @techy82:

    I have been able to connect from my mobile to my camera system fine up until I installed Snort.

    I have suppressed the entry, but the port seems to change often. How can I change it so it is never blocked by Snort?

    Thanks

    This does not make sense.  Do you mean the IP changes often perhaps?  You can suppress by IP, IP range or an entire network block.  You could also just disable the offending rule.

    Bill



  • I have suppressed several of the actual rules, but after a while the app seems to cause Snort to flag another type of rule and I have to suppress it again. I have put 3 in place so far.



  • Oh…OK.  That is the nature of some of Snort's aggressiveness with enforcing HTTP_INSPECT compliance (mostly).  Are the blocks happening from those kinds of rules (the HTTP_INSPECT preprocessor)?  If so, I suggest disabling all of the HTTP_INSPECT rules that fire.  Many legitimate web sites today will run afoul of the strict RFC compliance those rules attempt to enforce.

    If you suppress by IP and your CCTV cameras always have the same IP, then you should not get further blocks.  It will take a little time for you to find and fix the false positives, though.  There is no such thing in IDS/IPS as "turn it on and forget about it".  You always must tune and filter the rule set for a particular environment.

    Bill



  • The way I set mine up at home was without blocking mode enabled for a few weeks. That way nothing was actually getting blocked when an alert was triggered. I would of course need to check all alerts, and fortunately all were not major. I think I suppressed like 13 or 14 rules over the course of the non-blocking period, and when I didn't see any further alerts for a week, I put it in blocking mode. Most of the ones I suppressed were HTTP or HTTPS related, though I did also get a couple of SIP ones since my VoIP provider breaks the caller ID length (they add the country code to the number, making it longer than normal).

    Of course, like I mentioned, my setup is at a home and not a business… but you should be able to do something similar there too. Just keep an eye on the alerts a little more often during the non-blocking period and make sure they're harmless before you suppress them.
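The workflow both replies describe (run in alert-only mode, review what fires, then suppress only the false positives, scoped to the camera system's IP rather than disabling the rule outright) can be turned into a small helper. This is an added example, not code from the thread or from the Snort project; the alert lines, hosts and GID/SID pairs are constructed samples, and the generated lines use the standard Snort `suppress gen_id ..., sig_id ..., track by_src|by_dst, ip ...` syntax read from threshold.conf on a stock install.

```python
import re
from collections import OrderedDict

# One Snort "alert_fast" line: <ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{\w+\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample log; GID/SID pairs, hosts and messages are illustrative, not from the thread.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.50:8080 -> 192.168.1.20:51234
01/15-10:23:46.000001  [**] [119:19:1] (http_inspect) LONG HEADER [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.20:51235 -> 192.168.1.50:8080
01/15-10:24:01.555555  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.50:8080 -> 192.168.1.20:51236
01/15-10:30:00.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:51300
"""

def parse_alerts(text):
    """Parse alert_fast lines into dicts with gid, sid, msg, src and dst; skip unparseable lines."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"gid": int(m["gid"]), "sid": int(m["sid"]),
                           "msg": m["msg"], "src": m["src"], "dst": m["dst"]})
    return alerts

def build_suppress_list(alerts, camera_hosts):
    """Return (suppress_lines, needs_review).

    Camera-as-source hits get track by_src, camera-as-destination hits track by_dst, so the
    rule keeps firing for every other host. Alerts not involving the cameras are not silenced.
    """
    suppress, review = OrderedDict(), []
    for a in alerts:
        if a["src"] in camera_hosts:
            key = (a["gid"], a["sid"], "by_src", a["src"])
        elif a["dst"] in camera_hosts:
            key = (a["gid"], a["sid"], "by_dst", a["dst"])
        else:
            review.append(a)
            continue
        suppress[key] = a["msg"]          # de-duplicates repeated hits of the same rule
    lines = [f"# {msg}\nsuppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"
             for (gid, sid, track, ip), msg in suppress.items()]
    return lines, review

if __name__ == "__main__":
    lines, review = build_suppress_list(parse_alerts(SAMPLE_ALERTS), {"192.168.1.50"})
    print("\n".join(lines))
    for a in review:
        print(f"REVIEW: {a['gid']}:{a['sid']} {a['msg']} ({a['src']} -> {a['dst']})")
```

The `ip` field accepts a CIDR block as well, so a camera subnet can be covered with one entry; anything the script puts in the review list should be looked at by hand before the sensor goes back into blocking mode.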